SCRAM-SHA1 Authentication Added

By Daniel on July 28, 2016

Tigase XMPP Server now offers the added security of SCRAM (Salted Challenge Response Authentication Mechanism) using the SHA-1 hashing algorithm. This method of authentication makes the password exchange more secure, since the password is no longer sent in plaintext but protected with a salted hash. Not only this, but the mechanism also provides protection against man-in-the-middle attacks on Tigase XMPP Servers.

Securing a password is a basic must-do for IT security; however, some login methods transmit usernames and passwords in plaintext, which can be intercepted on the wire. SCRAM addresses this by using a SHA-1 hash to protect the password being sent. The basic process works like this: the client sends the username to the server in plaintext. The server responds with a salt, a random sequence of 8-bit bytes. The client then hashes the salt together with the password and sends that hashed message to the server. The server rehashes what the client sent using a different hashing variation and sends the result back to the client. Now both client and server have not only completed the password exchange, but have verified that both parties hold the proper username and password.
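The four-message flow described above, carried out in-process for both sides as an added example (illustrative code written for this post, not Tigase's implementation). It follows the RFC 5802 key derivation for SCRAM-SHA-1; the nonces, the salt and the credential-store layout are assumptions.

```python
import base64
import hashlib
import hmac
import os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def store_credentials(password: str, salt: bytes = None, iterations: int = 4096) -> dict:
    """What the server keeps: salt, iteration count, StoredKey and ServerKey (never the password)."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)  # RFC 5802 Hi()
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}

def scram_sha1_exchange(user: str, password: str, creds: dict,
                        cnonce: str = "c-nonce", snonce: str = "s-nonce") -> dict:
    """Run the four SCRAM-SHA-1 messages in-process and return them with both verdicts."""
    b64 = lambda b: base64.b64encode(b).decode()
    # 1. client-first: the username and a client nonce travel in the clear; no password material
    client_first_bare = f"n={user},r={cnonce}"
    # 2. server-first: the stored salt and iteration count, plus the combined nonce
    nonce = cnonce + snonce
    server_first = f"r={nonce},s={b64(creds['salt'])},i={creds['i']}"
    # 3. client-final: re-derive SaltedPassword locally and prove knowledge of ClientKey
    client_final_bare = f"c=biws,r={nonce}"  # c=biws is base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), creds["salt"], creds["i"])
    client_key = _hmac(salted, b"Client Key")
    client_proof = _xor(client_key, _hmac(hashlib.sha1(client_key).digest(), auth_message))
    client_final = f"{client_final_bare},p={b64(client_proof)}"
    # 4. server check: unmask ClientKey from the proof and compare its hash with StoredKey
    recovered_key = _xor(client_proof, _hmac(creds["stored_key"], auth_message))
    client_ok = hmac.compare_digest(hashlib.sha1(recovered_key).digest(), creds["stored_key"])
    # 5. server-final: ServerSignature proves the server holds ServerKey (mutual authentication)
    server_sig = _hmac(creds["server_key"], auth_message)
    server_final = f"v={b64(server_sig)}" if client_ok else "e=invalid-proof"
    # the client recomputes ServerSignature from its own password and compares
    expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    server_ok = client_ok and hmac.compare_digest(server_sig, expected)
    return {"client_first": "n,," + client_first_bare, "server_first": server_first,
            "client_final": client_final, "server_final": server_final,
            "client_ok": client_ok, "server_ok": server_ok}
```

Because only StoredKey and ServerKey sit on the server, a copy of the credential store cannot be replayed as a password, and a wrong password fails both the server's proof check and the client's check of the server signature.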

As you can see, this makes it very difficult for any third party to intercept the communication and recover the information without prior knowledge of both the username and the password. This feature is now available in the nightly build of Tigase XMPP Server and will be included in v7.1.0. It is also enabled by default, so compatible clients can use this mechanism.